05/04/2020

shermancountycd


Critical New Windows 0Days Being Actively Exploited


Vulnerabilities are in atmfd.dll: a kernel-mode module shipped with Windows

All currently supported versions of Microsoft Windows (server and desktop) are exposed to two new remote code execution (RCE) vulnerabilities that are being actively exploited in the wild in "limited targeted attacks", and there is no patch yet.

The new Windows 0-days are in atmfd.dll: a kernel-mode module shipped with Windows that provides support for OpenType fonts. (Although known in full as the "Adobe Type Manager Font Driver", it is Microsoft's code, not Adobe's.)

Security experts at France's Orange Cyberdefense said that if atmfd.dll is not present on a machine (it is not, apparently, on all of them) then mitigation is unnecessary. Computer Business Review could not immediately verify this. Where the module is present, mitigations are urgent.

Microsoft warned today of the flaws (base CVSS: 10) that "there are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane".

It has published a sweeping range of remediation options but suggested that a patch might not be ready until April 14's "Patch Tuesday". No credit for the disclosure was given; it was not immediately clear how the RCEs were identified.

It is not the first time that atmfd.dll has been the cause of security woes: two early-January 2018 vulnerabilities disclosed to Microsoft by Google's Project Zero (CVE-2018-0754, CVE-2018-0788) also involved security flaws in the module. Those two CVEs (which concerned how it handles objects in memory) required local access.

New Windows Vulnerability 

Microsoft said (ADV200006): "[The two RCEs exist] when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format… For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities."

Microsoft said: "Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability."

Guidance on disabling these panes is given in the advisory.
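The two practical questions raised above are whether a given host actually carries atmfd.dll (Orange Cyberdefense's point about when mitigation is needed) and whether the Explorer-side workaround has been applied. The following PowerShell is an added example written for this page; it is not code from the article, from Orange Cyberdefense or from Microsoft. It assumes atmfd.dll, when present, lives under %windir%\System32 (and SysWOW64 on 64-bit builds); it treats the DisableATMFD value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows as the registry workaround named in ADV200006 for pre-Windows 10 systems, which you should confirm against the advisory before relying on it; and it assumes the per-user IconsOnly value under Explorer\Advanced is the "Always show icons, never thumbnails" option that Microsoft's guidance tells you to tick. Run it in an elevated session.

```powershell
# Added example (not from the article or Microsoft): triage a host for the
# atmfd.dll exposure described in ADV200006 and apply the thumbnail setting
# from Microsoft's Explorer workaround.

function Test-AtmfdExposure {
    # Locations where the Adobe Type Manager font driver ships when present.
    $candidates = @(
        (Join-Path $env:windir 'System32\atmfd.dll'),
        (Join-Path $env:windir 'SysWOW64\atmfd.dll')
    )
    $present = @()
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            $ver = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
            $present += [pscustomobject]@{ Path = $p; FileVersion = $ver }
        }
    }

    # Assumption: DisableATMFD = 1 under this key is the registry workaround
    # listed in ADV200006 for systems older than Windows 10; verify against
    # the advisory for your OS before treating it as sufficient.
    $atmKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $disable = (Get-ItemProperty -Path $atmKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        OS           = $os.Caption
        Build        = $os.BuildNumber
        AtmfdPresent = ($present.Count -gt 0)
        AtmfdFiles   = $present
        DisableATMFD = $disable
        # No driver on disk means nothing for a crafted font to reach here.
        Exposed      = ($present.Count -gt 0 -and $disable -ne 1)
    }
}

function Set-ExplorerIconsOnly {
    # Sets "Always show icons, never thumbnails" for the current user, the
    # Folder Options step in Microsoft's workaround. -WhatIf only reports.
    param([switch]$WhatIf)
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $before = (Get-ItemProperty -Path $key -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
    if (-not $WhatIf) {
        Set-ItemProperty -Path $key -Name IconsOnly -Value 1 -Type DWord
    }
    [pscustomobject]@{
        Before = $before
        After  = $(if ($WhatIf) { $before } else { 1 })
    }
}

# Usage: report exposure, then preview and apply the Explorer setting.
Test-AtmfdExposure | Format-List
Set-ExplorerIconsOnly -WhatIf
Set-ExplorerIconsOnly
```

The IconsOnly change takes effect for new Explorer windows once Explorer is restarted or the user signs out, and it only covers the thumbnail step: the Preview and Details panes themselves are toggled from Explorer's layout menu as the advisory describes. As Microsoft's own caveat above says, none of this stops a local, authenticated user from feeding a crafted font to the driver directly, so an Exposed = True result still calls for the fuller workaround set from the advisory or the eventual patch.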

Microsoft is aware of this vulnerability and working on a fix, the company said: "Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers."
